Enterprise Matrix - Linux

The matrix below includes techniques spanning the Linux platform. The full Enterprise ATT&CK matrix along with the matrices for Windows and macOS are also available for navigation.

Last Modified: 2018-10-17T00:14:20.652Z

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Drive-by Compromise | Command-Line Interface | .bash_profile and .bashrc | Exploitation for Privilege Escalation | Binary Padding | Bash History | Account Discovery | Application Deployment Software | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Exploit Public-Facing Application | Exploitation for Client Execution | Bootkit | Process Injection | Clear Command History | Brute Force | Browser Bookmark Discovery | Exploitation of Remote Services | Automated Collection | Data Compressed | Communication Through Removable Media |
| Hardware Additions | Graphical User Interface | Browser Extensions | Setuid and Setgid | Disabling Security Tools | Credential Dumping | File and Directory Discovery | Remote File Copy | Clipboard Data | Data Encrypted | Connection Proxy |
| Spearphishing Attachment | Local Job Scheduling | Create Account | Sudo Caching | Exploitation for Defense Evasion | Credentials in Files | Network Service Scanning | Remote Services | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Spearphishing Link | Scripting | Hidden Files and Directories | Sudo | File Deletion | Exploitation for Credential Access | Network Sniffing | SSH Hijacking | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Spearphishing via Service | Source | Kernel Modules and Extensions | Valid Accounts | File Permissions Modification | Input Capture | Password Policy Discovery | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| Supply Chain Compromise | Space after Filename | Local Job Scheduling | Web Shell | HISTCONTROL | Network Sniffing | Permission Groups Discovery | | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| Trusted Relationship | Third-party Software | Port Knocking | | Hidden Files and Directories | Private Keys | Process Discovery | | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Valid Accounts | Trap | Redundant Access | | Indicator Removal from Tools | Two-Factor Authentication Interception | Remote System Discovery | | Input Capture | Scheduled Transfer | Fallback Channels |
| | User Execution | Setuid and Setgid | | Indicator Removal on Host | | System Information Discovery | | Screen Capture | | Multi-Stage Channels |
| | | Trap | | Install Root Certificate | | System Network Configuration Discovery | | | | Multi-hop Proxy |
| | | Valid Accounts | | Masquerading | | System Network Connections Discovery | | | | Multiband Communication |
| | | Web Shell | | Obfuscated Files or Information | | System Owner/User Discovery | | | | Multilayer Encryption |
| | | | | Port Knocking | | | | | | Port Knocking |
| | | | | Process Injection | | | | | | Remote Access Tools |
| | | | | Redundant Access | | | | | | Remote File Copy |
| | | | | Rootkit | | | | | | Standard Application Layer Protocol |
| | | | | Scripting | | | | | | Standard Cryptographic Protocol |
| | | | | Space after Filename | | | | | | Standard Non-Application Layer Protocol |
| | | | | Timestomp | | | | | | Uncommonly Used Port |
| | | | | Valid Accounts | | | | | | Web Service |
| | | | | Web Service | | | | | | |